
ZAP false positive security warnings

For 3 months ZAP has logged blocked outbound connection attempts to reach a malware site, syssecuritypage.com. My machine was running 6.1.744.001 when this started, I updated to 6.5.737.000 and it continued.

Yesterday I performed a low level reformat of my disc drive, reloaded XP Pro and downloaded a fresh copy of 6.5.737.000. Now ZAP is telling me msimn.exe (O.E.) is attempting to reach syssecuritypage.com. I ran msimn.exe through the on-line virus scan at virustotal.com, it was clean. Before the reinstall ZAP warned that Internet Explorer, Firefox, explorer.exe and winlogon.exe were attempting to reach syssecuritypage.

I've run security scans with ZAP anti-spyware, NOD32, Spysweeper, Trojan Hunter, Spybot and Ad Aware. Before reloading my OS I additionally ran scans with hijackthis, several rootkit, SmitFraud, Vundo and other detection software packages. All scans were negative.

The wipe and new OS install should have removed all malware. Now I suspect ZAP may be recording false positives, as I've not seen any of the behavior of a SmitFraud infection: pop-ups warning that a PC is infected and advice to download their security software to remove the pests.

I need to find out whether ZAP is recording false positives and how to either stop the warnings or find out why they are occurring. I'd appreciate any help you could provide.

Re: ZAP false positive security warnings

After your system was fixed, did you turn off system restore and then reboot and turn it back on? Did you change your homepage? Also you may want to go to http://forum.malwareremoval.com/view...07f3b8314034af and get some help in making sure all evidence of the Trojan is gone.

Re: ZAP false positive security warnings

Hoov,

Yes, after I reinstalled XP from scratch System Restore was turned off and emptied. I have been working with people at a malware web site and locally for 2 months trying to track down this pest. What I would like to learn from Zone Labs is how to gather additional information about ZAP's Alert Log entries. The ones I have questions about offer little info and nothing from the web, only "Your computer was restricted from connecting to a restricted site," an IP address and port. The site is one I manually blocked in the firewall tab in ZAP.

I've written ZAP tech support two times asking for info, either I get canned responses which are useless or no response at all.

I've discovered ZAP giving false positive warnings, last week it warned that a utility was adding three well known rootkit keys to the registry which simply was not true. The internal ZAP reference database has incorrect information. I need to find out if ZAP is misinterpreting what it is detecting and giving false warnings.

Re: ZAP false positive security warnings

While it is possible that ZoneAlarm is giving a false positive, I find it strange that it's only happening to you. That said, you mention rootkit. I know rootkits can be very hard to ferret out. Low level formats are not the fix they once used to be. I do know something about rootkits, and I know that I know enough to just be dangerous. Try going to http://www.castlecops.com/f233-Rootkit_Revelations.html and work with the folks there on seeing if you have a rootkit (which is possible). The Castlecops staff that work that board have just spent the last 7 months or so doing research into rootkits and tools, and they would be able to better help you to make sure you don't have a rootkit. Go over there and let them know who helped you remove all your malware, and that you either have a rootkit, or something that is causing false positives pointing to a rootkit. The reason I am asking you to do this is, if you have a rootkit, then nothing we do here will help you. If you are free of rootkits, then we will have to dig further.

Re: ZAP false positive security warnings

Hoov,

I've been working with the experts at Castle Cops for two months. I've run all sorts of security scans, rootkits and otherwise, without finding the mystery lurking malware (MLM.) We've narrowed it down to the three options mentioned in my last post, 1.) ZAP false positives, 2.) DLL injection 3.) Boot sector malware that can survive a low level format.

Before I purchase new disc drives and discard years of data, I'd like to get a better response from Zone Labs about the warnings ZAP is raising. ZAP's firewall tab IP lookup has now given syssecuritypage.com a new IP address, 209.85.51.157, that the Castle Cops folks are questioning.

I know you've been a guru for a long time, could you please contact your Zone Lab's sources and gather additional info for me? Perhaps how to create expert rules to log blocked attempts to the blocked site?

I ran Microsoft's Port Reporter software, that verified the outgoing connection attempts but it wasn't able to identify the local originating file. The MLM has used winlogon.exe, explorer, I.E., Firefox and recently O.E.; it's like a flea, hopping from host to host. We haven't been able to track down the local originating source.

Re: ZAP false positive security warnings

I will see if I can get you some help. I just found your thread over there. A few more questions. Have you tried resetting the ZA settings database? Also, if your computer fails to connect to the site, does it continue to try, or is it one time only?

Re: ZAP false positive security warnings

After reading my Castle Cops thread, I trust you understand the effort that has gone into tracking down this malware.

Yes, I have reset ZAP's database files more than once, performed a clean switch uninstall two times and migrated from version 6.1.744.001 to version 6.5.737.000.

The outbound blocked connection frequency varies, usually bursts of 5 pings each time; some days nothing, other days one, two, five, 20+. The time of day is usually at random although for ~7 days it was each hour on the hour, to the second. Since the system wipe 3 days ago, msimn.exe (Outlook Express) was blocked two times and today Firefox was blocked once. These executables have been run through on-line virus checkers and their properties are correct. The hidden malware is hijacking legitimate system files to execute the outbound 5 ping bursts, but hiding elsewhere. For the first ~6 weeks, it only used winlogon.exe, then explorer.exe, then the browsers and finally O.E., which I normally do not use.

Please note that when I last performed a clean switch reinstall of 6.5.737.000, something on my system changed and ZAP logged thousands of blocked svchost loopbacks to my local machine. I had been manipulating the Hosts file, adding 127.0.0.1 malware website entries; although the file's contents looked ok, I reset it using a Castle Cops utility and the blocked loopbacks disappeared. I don't know whether the ZAP install or the malware caused the problem.
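The post above describes the one property of the blocked attempts that a log alone can settle: whether they arrive in fixed-size bursts at a regular interval (hourly on the hour, to the second) or scattered at random. Scheduled, evenly spaced bursts from a rotating set of host processes point to something driving the connection on a timer; irregular one-off attempts are more consistent with a misfiring rule. The script below is an added example, not ZoneAlarm's own tooling or log format: it parses constructed log lines in an assumed layout (date, time, process, destination, verdict), clusters attempts per process into bursts, and flags processes whose bursts recur at a near-constant period. The destination IP and timestamps are constructed sample data.

```python
"""Detect periodic beaconing in blocked-outbound firewall log lines.

Added example; the line layout is an assumption, not ZoneAlarm's real
Alert Log format, and every sample line below is constructed.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample log in the assumed layout:
#   <date> <time> <process> -> <dest_ip>:<port> BLOCKED
# winlogon.exe fires a burst of 5 attempts on the hour, every hour;
# firefox.exe makes two unrelated single attempts.  192.0.2.10 is a
# documentation (TEST-NET) address, used as a stand-in destination.
SAMPLE_LOG = """\
2006-09-01 10:00:00 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 10:00:00 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 10:00:01 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 10:00:01 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 10:00:02 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 10:17:43 firefox.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 11:00:00 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 11:00:00 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 11:00:01 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 11:00:01 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 11:00:02 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 12:00:00 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 12:00:00 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 12:00:01 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 12:00:01 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 12:00:02 winlogon.exe -> 192.0.2.10:80 BLOCKED
2006-09-01 14:52:10 firefox.exe -> 192.0.2.10:80 BLOCKED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>\S+) -> "
    r"(?P<ip>[\d.]+):(?P<port>\d+) BLOCKED$"
)


def parse_log(text):
    """Return a time-sorted list of (timestamp, process, dest_ip, port)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines outside the assumed layout are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["proc"], m["ip"], int(m["port"])))
    events.sort(key=lambda e: e[0])
    return events


def group_bursts(events, gap_seconds=5):
    """Cluster each process's attempts: consecutive attempts no more than
    gap_seconds apart belong to one burst.
    Returns {process: [(burst_start, attempt_count), ...]}."""
    bursts = defaultdict(list)
    last_seen = {}
    for ts, proc, _ip, _port in events:
        prev = last_seen.get(proc)
        if prev is not None and (ts - prev).total_seconds() <= gap_seconds:
            start, count = bursts[proc][-1]
            bursts[proc][-1] = (start, count + 1)
        else:
            bursts[proc].append((ts, 1))
        last_seen[proc] = ts
    return dict(bursts)


def analyze(events, gap_seconds=5, max_cv=0.1):
    """Per process: number of bursts, attempts per burst, and whether the
    gaps between burst starts are regular enough (coefficient of variation
    <= max_cv over at least two gaps) to call the pattern periodic."""
    report = {}
    for proc, blist in group_bursts(events, gap_seconds).items():
        starts = [b[0] for b in blist]
        sizes = [b[1] for b in blist]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        periodic, period = False, None
        if len(gaps) >= 2:
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
            periodic = cv <= max_cv
            period = round(mean)
        report[proc] = {"bursts": len(blist), "sizes": sizes,
                        "period_s": period, "periodic": periodic}
    return report


if __name__ == "__main__":
    for proc, info in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{proc}: {info}")
```

Running it on the constructed log reports winlogon.exe as periodic with a 3600 s period and three bursts of five attempts, while firefox.exe shows two single attempts and no period. On a real export, the lines to adapt are the regular expression and the timestamp format; the clustering and periodicity logic do not depend on the product.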

Re: ZAP false positive security warnings

You may have gotten the impression that I have made it all the way through your other thread. I haven't, but I am working on it. After reading the first couple pages, something started nagging at me, and I went back and reread it a couple times before I figured out what was bothering me. You said,

"Looking through my Zone Alarm log, I've noticed that for the last eight days, windows/system32/winlogon.exe has attempted to connect to www.syssecuritypage. net, a known spyware site."

Let me know if you have done this, but have you used Process Explorer to look at all that is using Winlogon? Even in a normally operating system, there are many entries shown in Process Explorer that are using winlogon. One of them could be the cause of the problem. Process Explorer is available at http://www.sysinternals.com/Utilitie...sExplorer.html The new version will even let you know if that process is using TCP/IP and what IP it's contacting.

Re: ZAP false positive security warnings

Hoov,

Yes, I've used Process Explorer and other similar utilities suggested by Castle Cops; excluding the logs I posted, look at pages ~8 to 14 on the other process / scan software. The problem we've been facing is that nothing unusual is showing up. In specific answer to your question, nothing unusual was using winlogon. Nothing unusual was using explorer, I.E., Firefox and O.E.; I posted logs and nothing was found. I ran ~50 /windows system files through on-line virus / malware scanners, all clean.

Injected DLLs have been suggested, hiding themselves inside system files and undetectable by all the scans we've thrown at them. The low level format and OS reinstall is puzzling; except for rare boot sector viruses, nothing escapes the total wipe. Which leads me to question the accuracy of ZAP's warnings.

Either I find the malware or discard my disc drives and start over again.